The National Security Agency (NSA) is the font of information security wisdom for the US defense and intelligence communities. But apparently, the NSA's own network security is so weak that a single administrator was able to hijack the credentials of a number of NSA employees with high-level security clearances and use them to download data from the agency's internal networks. That administrator was Edward Snowden.

Under Department of Defense (DOD) Directive 8500.2, the director of the NSA, Gen. Keith Alexander, is tasked with approving all the cryptographic hardware and software used by the DOD. The NSA also provides "information assurance" and information system security engineering services to DOD branches and agencies. And along with the National Institute of Standards and Technology, the NSA maintains the master guide for DOD information security systems: the Information Assurance Technical Framework (IATF).

But in what appears to be a case of "do as I say, not as I do," the NSA's internal IT security schemes allowed Snowden, a contractor sysadmin, to pull off a classic insider attack on the agency. An investigation by NBC found that Snowden had used the digital identities of several upper-level NSA officials to log into NSAnet, the agency's intranet—giving him access to data far beyond the needs of a lowly system administrator.

Attack of the superuser

The systems accessed by Snowden limit access by user role, so he could not have used his own credentials on them without overriding access controls. Officials familiar with the case told NBC that Snowden had obtained the "profiles" of a number of NSA employees; investigators identified those employees through forensic examination of logs, finding periods when the employees were traveling but their accounts were still being used to access the intranet. If Snowden used administrative privileges to reset their passwords, the owners' subsequent failed logins might have flagged a problem, but they could just as easily have been shrugged off as passwords forgotten over a trip.

In order to pull this off without raising alarms, Snowden would have needed access to the full credentials of the users whose identities he borrowed. He would have needed either to obtain the public key infrastructure (PKI) credentials used in their authentication (the private keys tied to their certificates) or to bypass multi-factor authentication outright. He also would have needed to avoid leaving an audit trail when making those changes (or to delete the records of the changes after the fact). He managed to do all of these things, download the content, and get it past the NSA's physical security.

Some or all of this trouble could have been avoided if the NSA had followed its own playbook a bit more closely and used administrative and security best practices that are common across government, the financial industry, and other networks where access control auditing and the non-repudiation of user actions are mandated by laws, regulations, and the nature of the business. Giving one administrator both the ability to gain access to user credentials and control over the log systems that monitor changes to those credentials is a classic bad move in network security, because the same person can then both abuse an account and erase the evidence. As Oracle points out in its documentation for its Enterprise Manager administration tool, "Giving the same level of access to all systems to all administrators is dangerous." In most sensitive enterprise systems, administrators' access powers are limited to very specific roles so that no single administrator can compromise multiple systems, which makes it harder for an insider to attack systems and cover his or her tracks.

In the wake of the Snowden breach, Gen. Alexander announced that the NSA would implement two-person administrative requirements; that's a measure that's been recommended by the IATF for over a decade. "Limits can be placed on each individual’s authorized privileges," the IATF says. "The application and the security features it provides can also partly counter these threats with features such as audit, two-person administrative requirements, and covert access prevention and detection." Covert access prevention and detection would include monitoring login locations and watching for attempts to get at data from ways other than through the approved front-end (such as trying to pull directly from a disk directory instead of going through the intranet server).

Networks classified as secret and above at the DOD are supposed to be protected by layers of intrusion detection and automated auditing systems. Security information and event management (SIEM) systems and other internal network monitoring tools can be configured to catch log events that human eyes might miss, such as an account belonging to a user based at Fort Meade unexpectedly logging in from a station in Hawaii, or an account being used at its home station while its owner is recorded as traveling. A number of SIEM systems are used by organizations within the DOD for security auditing.
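The kind of correlation described above (and the forensic log review mentioned earlier in this piece, which matched account use against periods when the account holders were traveling) can be reduced to a few rules run over authentication logs. The following is an added example written for this article, not code from the NSA or from any SIEM product: the log format, station names, user names, the travel roster and the time windows are all constructed. It flags four conditions: an account used at its home station while the holder is away, a login from a station that is neither the home station nor the recorded travel destination, two successful logins from different stations within a window too short to travel between them, and a successful login shortly after an administrator reset that account's password.

```python
import re
from datetime import datetime, timedelta

# Constructed roster (assumption, not real data): each account's home station and
# the windows [start, end) during which the holder is recorded as away, and where.
TRAVEL = {
    "jdoe":   {"home": "FT_MEADE", "away": [("2013-05-06", "2013-05-11", "KUNIA")]},
    "asmith": {"home": "FT_MEADE", "away": []},
    "rlee":   {"home": "KUNIA",    "away": []},
}

# Constructed audit lines in a simple key=value format chosen for this example.
LOG = """\
2013-05-05T08:02:11Z event=login user=jdoe station=FT_MEADE result=success
2013-05-07T22:14:09Z event=login user=jdoe station=FT_MEADE result=success
2013-05-08T01:30:00Z event=password_reset actor=badmin target=asmith
2013-05-08T01:42:51Z event=login user=asmith station=KUNIA result=success
2013-05-08T09:00:00Z event=login user=rlee station=KUNIA result=success
2013-05-08T10:15:00Z event=login user=rlee station=FT_MEADE result=success
2013-05-09T12:00:00Z event=login user=asmith station=FT_MEADE result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    m = LINE_RE.match(line)
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def away_location(user, ts):
    """Return the recorded travel destination if `user` is away at `ts`, else None."""
    for start, end, dest in TRAVEL[user]["away"]:
        if datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
            return dest
    return None


def analyze(log_text, reset_window=timedelta(hours=1), hop_window=timedelta(hours=6)):
    """Return a list of (ts, user, rule, detail) alerts for suspicious account use.

    reset_window: how soon after an admin password reset a login is suspicious.
    hop_window:   minimum plausible time between logins from two different stations
                  (a constant here; a real deployment would use per-pair distances).
    """
    alerts = []
    last_login = {}   # user -> (ts, station) of the previous successful login
    last_reset = {}   # target user -> (ts, actor) of the most recent admin reset
    for raw in log_text.splitlines():
        rec = parse(raw)
        ts = rec["ts"]
        if rec["event"] == "password_reset":
            last_reset[rec["target"]] = (ts, rec["actor"])
            continue
        if rec["event"] != "login" or rec["result"] != "success":
            continue
        user, station = rec["user"], rec["station"]
        home = TRAVEL[user]["home"]
        dest = away_location(user, ts)
        # Rule 1: the holder is recorded as away, yet the account is used at home base.
        if dest and station == home:
            alerts.append((ts, user, "TRAVEL_CONFLICT", f"away at {dest}, login from {station}"))
        # Rule 2: login from a station that is neither home nor the travel destination.
        elif station not in (home, dest):
            alerts.append((ts, user, "UNEXPECTED_STATION", f"home {home}, login from {station}"))
        # Rule 3: two different stations inside a window too short to travel between.
        if user in last_login:
            prev_ts, prev_station = last_login[user]
            if prev_station != station and ts - prev_ts < hop_window:
                alerts.append((ts, user, "IMPOSSIBLE_TRAVEL",
                               f"{prev_station} at {prev_ts.isoformat()} then {station}"))
        # Rule 4: an administrator reset this password shortly before the login.
        if user in last_reset:
            reset_ts, actor = last_reset[user]
            if ts - reset_ts < reset_window:
                alerts.append((ts, user, "RESET_THEN_LOGIN",
                               f"reset by {actor} at {reset_ts.isoformat()}"))
        last_login[user] = (ts, station)
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in analyze(LOG):
        print(f"{ts.isoformat()} {user:8} {rule:18} {detail}")
```

On the constructed sample this raises five alerts: jdoe's account is used at Fort Meade while jdoe is recorded at Kunia; asmith's account logs in from Kunia twelve minutes after an administrator reset its password; and rlee's account appears at two stations an hour and a quarter apart. The later failed login for asmith is the sort of "forgotten password" event the article describes and is deliberately not alerted on by itself; the point of the reset rule is that it fires on the reset-plus-success pair an insider would produce, not on the owner's failures. Note that rule 4 depends on the password-reset event reaching the analyst's log store at all, which is exactly what an administrator who also controls the log system can prevent.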

But based on statements by Gen. Alexander and reports about the breach, it appears that the NSA—the agency responsible for monitoring the networks of the world—didn't have a great deal of automated monitoring inside its own firewalls. Instead of using automated systems, the NSA apparently depends on an army of system administrators for its internal defenses—administrators like Edward Snowden. With masses of log data to check through, Snowden likely slipped past the eyes of other administrators or managed to delete or alter log records before they raised suspicion.

The NSA reportedly still doesn't know the extent of what Snowden extracted from the agency's intranet, and investigators are poring over access logs to try to find conflicts that would indicate which users' accounts Snowden used. Given the apparent superuser powers Snowden was able to wield—and the apparent lack of insider threat protection the agency had in place—they may never fully know.